RNMAP
=====


Introduction
------------

Hi,

A few words about my little software project written in Python.
The Remote Nmap (Rnmap) package contains both client and server programs.
The idea behind this software is that various clients can contact
one centralized Rnmap server and do their portscanning through it.
The server does user authentication and uses the excellent Nmap
scanner to do the actual portscanning.

Contents
--------

In the ./server directory:

    rnmap_server.py
    ---------------

    This is the server which does user authentication and portscanning.
    It uses the following configuration files in its directory:
    filter.conf (optional) and users.list (needed), the latter generated by
    the rnmap-adduser program. filter.conf contains the filtering method and
    the hostlist for it (look at the actual file) and users.list contains user
    logIDs and passwords (MD5 hashed) and should be readable/writeable only by root.
    The server writes a logfile (rnmap_server.log) in its main directory.
    The default port and Nmap path for the server are 3500 and /usr/bin/nmap;
    these can be overridden with commandline parameters (try --help).
    The server is tested mostly on Linux, but FreeBSD, OpenBSD and
    Solaris also seem to work. Generally it should run on any *nix platform
    as long as Nmap and Python are available for it.

    rnmap-adduser.py
    ----------------

    With this program the rnmapd admin can create new user accounts.
    Passwords are stored MD5 hashed.

In the ./client directory:

    grnmap.py
    ---------

    This is the Tkinter frontend client for rnmap_server.py.
    It should run on any platform supported by Python and Tkinter.

    rnmap.py
    --------

    This is the console client for rnmap_server.py. All other Nmap options can
    be used except '-oN', '-oM', '-oS', '-oX', '--resume' and '-iL'. The default
    output mode is '-oN', but '-oM', '-oS' and '-oX' can be selected with the
    '--mparseable', '--scriptkiddie' and '--xml' commandline parameters.
    Use 'rnmap.py --help' to see how to use rnmap.py.


Protocol
--------

The protocol is simple. It uses colon-separated strings.

client to server:
=================

Plaintext mode:
code:username:password:scancommand

Ciphertext mode:
code:username:password:scancommand:: symmetrickey + iv
     |                           |   |              |
      ---------------------------     --------------
      This field is encrypted with    This field is
        the symmetric session key     encrypted with the
                                      server's public key

Codes:
======
100  =  Plaintext communications
101  =  Ciphertext communications
102  =  Public key request


server to client:
=================
code:data

In encryption mode whole message is encrypted with session key
and has iv (initialization vector) at the end of the message.

Codes:
======

103  =  Public key offer
201  =  Successful (returns Nmap result in data field)
202  =  Access permitted
401  =  Access denied
402  =  Operation failed
403  =  Unknown command
404  =  Operation denied
405  =  No encryption support
406  =  Plaintext connection refused
407  =  Too weak encryption key

e.g. 202:Access permitted
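As an added illustration of the plaintext framing above (this is example code, not part of Rnmap itself), the helper below builds and parses the client-to-server and server-to-client messages and validates the codes against the tables. Two details matter when splitting on ':': the scan command and the Nmap output in the data field can themselves contain colons, so the request is split on at most three separators and the reply on the first one only. The password check assumes users.list stores plain hex MD5 digests, which the README does not state explicitly; note also that unsalted MD5 is a fast hash, so the file really must be readable by root only, as the README already requires.

```python
import hashlib
import hmac

# Codes copied from the protocol tables in this README.
REQUEST_CODES = {
    100: "Plaintext communications",
    101: "Ciphertext communications",
    102: "Public key request",
}
REPLY_CODES = {
    103: "Public key offer",
    201: "Successful",
    202: "Access permitted",
    401: "Access denied",
    402: "Operation failed",
    403: "Unknown command",
    404: "Operation denied",
    405: "No encryption support",
    406: "Plaintext connection refused",
    407: "Too weak encryption key",
}


def build_request(code, username, password, scancommand):
    """Build a plaintext-mode client message: code:username:password:scancommand."""
    if code not in REQUEST_CODES:
        raise ValueError("unknown request code %r" % code)
    # username and password must not contain the field separator, or the
    # server would mis-parse the message; the scan command may (it is last).
    for name, field in (("username", username), ("password", password)):
        if ":" in field:
            raise ValueError("%s must not contain ':'" % name)
    return "%d:%s:%s:%s" % (code, username, password, scancommand)


def parse_request(msg):
    """Split a client message into its four fields.

    maxsplit=3 keeps any ':' inside the scan command intact.
    """
    parts = msg.split(":", 3)
    if len(parts) != 4:
        raise ValueError("malformed request: expected 4 colon-separated fields")
    code = int(parts[0])
    if code not in REQUEST_CODES:
        raise ValueError("unknown request code %d" % code)
    return {"code": code, "username": parts[1],
            "password": parts[2], "scancommand": parts[3]}


def parse_reply(msg):
    """Split a server reply (code:data) on the first colon only.

    Nmap output in the data field of a 201 reply contains colons itself.
    """
    code_str, sep, data = msg.partition(":")
    if not sep:
        raise ValueError("malformed reply: missing ':'")
    code = int(code_str)
    if code not in REPLY_CODES:
        raise ValueError("unknown reply code %d" % code)
    return code, data


def check_password(candidate, stored_md5_hex):
    """Compare a submitted password with a stored MD5 digest.

    Assumption: users.list stores the hex MD5 digest of the password
    (the README only says 'MD5 hashed'). compare_digest avoids leaking the
    match length through timing.
    """
    digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_md5_hex)


if __name__ == "__main__":
    # Constructed sample exchange; 192.0.2.10 is a documentation address.
    req = build_request(100, "alice", "s3cret", "-sT -p 80 -oN 192.0.2.10")
    print(req)
    print(parse_request(req))
    print(parse_reply("202:Access permitted"))
```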


Cryptography support
====================

Rnmap now supports encryption. You need the amkCrypto Python cryptography
package on both server and client to use this feature. It is based on mxCrypto
and Andrew Kuchling's original Python Cryptography Toolkit.

Rnmap uses the RSA asymmetric algorithm to encrypt the symmetric session keys.
The default length for RSA keys is 1024 bits, but this can be changed with the
Rsakeylength variable (rnmap_server.py).

The symmetric algorithm used to encrypt all other data is Blowfish (CBC mode)
with 128 bit session keys.

If you want to start rnmapd so that it refuses plaintext connections, use the
--noplain commandline parameter.


REQUIREMENTS
------------

rnmap_server.py:
  - Python (www.python.org)
  - Nmap portscanner (www.insecure.org)

grnmap.py & rnmap.py:
  - Python (www.python.org)

For cryptography (optional):
  - amkCrypto python cryptography package (http://www.amk.ca/python/code/crypto.html)
  - System with /dev/urandom device (Linux, FreeBSD, OpenBSD)

NOTES
-----

If you use the rnmap server with telnet, remember to include an Nmap log format
option ('-oN', '-oM', '-oS' or '-oX') without a filename at the end of the
scancommand field or your scan will fail.

Let me know if you find bugs (I'm sure you will :)) and send your suggestions to me.
I'm also glad if you let me know how rnmap_server.py, grnmap.py and rnmap.py run
on platforms that I haven't tested yet.

Author
------

Tuomo Makinen
tmakinen@pp.htv.fi
